Russian Cozy Bear Strikes European Embassies With WinRAR Bug
Group Leverages Legitimate Ngrok Tool to Communicate With the Malicious Server
Russian state hackers targeted European embassies and international organizations in espionage attacks exploiting a recently patched vulnerability in a popular Windows utility for archiving files, said Ukrainian government cybersecurity researchers.
Ukraine's National Cyber Security Coordination Center in a report accused hackers from Russia's Foreign Intelligence Service known as APT29 or Cozy Bear of orchestrating attacks against the embassies of a slew of countries including Azerbaijan, Greece, Romania and Italy. Cyber defenders say threat actors also attacked Greek internet provider Otenet.
The cybersecurity center said a thread connecting the victims is "significant political and economic ties with Azerbaijan." The campaign occurred during the lead-up to Azerbaijan's military operation in an Armenian ethnic enclave known as Nagorno-Karabakh or Artsakh that resulted in mass evacuation of the populace away from Azerbaijan (see: State-Sponsored Attackers Targeting Armenians, Apple Warns).
The campaign, which Kyiv said began in September, employed tactics reminiscent of earlier APT29 campaigns, including an April attack on embassies. The threat actor also targeted European governments in a six-month espionage campaign (see: European Governments Targeted in Russian Espionage Campaign).
The threat actors sent phishing emails to more than 200 email addresses containing a link to a PDF document and a malicious ZIP file to exploit a vulnerability in file archiver tool WinRAR that's tracked as CVE-2023-38831. Vendor RARLabs released a patch on Aug. 2 but defenders, including Google's Threat Analysis Group, warned months later that government hacking groups were continuing to exploit the flaw (see: Nation-State Hackers Exploiting WinRAR, Google Warns).
The flaw allows attackers to force Windows into executing malware by hiding it in a folder that bears the same name as a benign file in the same archive. Hackers used phishing emails claiming to contain information about the sale of a BMW car, a tactic they had previously employed.
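As an added illustration of the archive layout described above (not from the report or from any vendor tooling), the following Python script scans a ZIP file for the CVE-2023-38831 pattern a defender would want to flag at a mail gateway or sandbox: a top-level file that shares its name with a folder in the same archive, where that folder holds an executable or script. The sample archives, including the "BMW offer" file name, are constructed in memory for the test and contain only placeholder text.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that should never sit inside a folder named after a lure document.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk"}


def find_samename_lures(zip_bytes: bytes) -> List[str]:
    """Return archive entries that are executables inside a folder whose name
    matches a top-level file in the same archive (the CVE-2023-38831 layout).
    Names are compared with trailing whitespace stripped, so entries that differ
    only by a trailing space still count as the same name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Top-level file entries (no path separator) keyed by normalised name.
        top_files = {n.rstrip() for n in names if "/" not in n}
        for n in names:
            if "/" not in n or n.endswith("/"):
                continue  # skip top-level files and bare directory entries
            top_dir, _, leaf = n.partition("/")
            if top_dir.rstrip() not in top_files:
                continue
            ext = ""
            if "." in leaf:
                ext = "." + leaf.rsplit(".", 1)[-1].rstrip().lower()
            if ext in EXECUTABLE_EXTS:
                findings.append(n)
    return findings


def build_sample(entries: Dict[str, bytes]) -> bytes:
    """Constructed in-memory archive for testing; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one with the suspicious layout, one ordinary archive.
SUSPICIOUS = build_sample({
    "BMW offer.pdf": b"%PDF-1.4 placeholder",
    "BMW offer.pdf/BMW offer.pdf.cmd": b"echo placeholder",
})
BENIGN = build_sample({
    "BMW offer.pdf": b"%PDF-1.4 placeholder",
    "photos/front.jpg": b"\xff\xd8 placeholder",
})

if __name__ == "__main__":
    print("suspicious:", find_samename_lures(SUSPICIOUS))
    print("benign:", find_samename_lures(BENIGN))
```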
APT29 also used an Ngrok static domain to host a command-and-control server, a novel technique that with minimal effort converts the development tool, ordinarily meant to expose a local development server to the internet, into a way to obfuscate hacking activity. Ngrok makes a locally hosted web server appear to be on an ngrok.com subdomain.
The campaign "is a stark reminder that cyberespionage is a tool of statecraft, and its reach extends to diverse regions and sectors," the report says.